PKI Blog

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. After this discovery, CSS created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority sends it to the requestor. CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v 1.1 software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products.

If you’re reading this, there’s a good chance you’ve already seen thereportsabout the security ramifications of issuing certificates to mobile devices using the Simple Certificate Enrollment Protocol (more information on our site here). We’ve received many inquiries about how to determine whether a given system is at risk, and if so, what levels of exposure may be involved. Complicating the issue is the sheer number of Mobile Device Management (MDM) products that exist, and the wide variety of configuration options within them. Because of all this variability, simply asking, “Is {Product X} affected?” can lead to over-simplified answers that might still leave you exposed to risk.

Assessing the risk of a given MDM deployment can be a bit nuanced, as there are a number of factors that come into play. The primary criteria to examine when making an assessment are:

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.